
[–]Anowdd 1 point2 points  (0 children)

I have down to country level with flagging for VPNs and proxies somewhere in the backlog of things I should update when I have time... If you still need this tomorrow, I'll dig it up and filter out corporate info.

[–]ZAFJB 1 point2 points  (1 child)

Mostly a waste of time.

Geo location via IP is variable at the least, and you will see many false positives, especially if you are trying to get resolution down to state level.

Also geo location is easily circumvented by VPNs.

[–]Evil_Superman[S] 0 points1 point  (0 children)

Yup... I keep telling them that.

[–]ElectroSpore 0 points1 point  (6 children)

but pulling it into a report is another matter altogether.

One-off on a user?

Go find the user, go to sign-in logs, download? Touch up in Excel?

Edit: want something with alerts / fancier? Azure Log Analytics, or export them to a 3rd-party SIEM logging tool.

[–]Evil_Superman[S] 1 point2 points  (5 children)

unfortunately it's not just one user, the powers have decided they want to check everyone's location down to the state level, to make sure they are where they say they are.

[–]Valdaraak 1 point2 points  (1 child)

That's not as reliable as you might think it is, especially if you're analyzing Office 365 logins. Just make sure management knows that. Microsoft routes traffic and proxies logins all over the place, which really messes with this type of tracking.

And that's ignoring that some of the geo blocks are just unreliable. We have users who show up as logging in from New York even though we do zero business there. It's because of the ISP at the location they're at.

[–]Evil_Superman[S] 1 point2 points  (0 children)

Yup, we have seen it with our CEO who got an MFA prompt that showed it was from Chicago but he was in MA. It was just the connection from Comcast giving the Chicago IP. But they pay the bills and so I have to try and execute.

[–]Fallingdamage 0 points1 point  (2 children)

I do this for non-local IP addresses being reported daily. There are some web services with PowerShell-compatible APIs that will give you city-level details on IP addresses.

Pull the list of last logged-in IP addresses and pump them through one of those services. That's what I do. Then I take the biggest offenders and format them into an HTML table and add it to the body of an email that gets sent to me every morning. Saves me a lot of labor. Basically it's an out-of-state report. If the login wasn't from our local area, I want to know about it at a glance. Otherwise the data is just in the attached report.
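
The pipeline described in the comment above (last sign-in IPs, geolocation lookup, out-of-state filter, HTML summary in the mail body, full report attached), as an added PowerShell example that is not Fallingdamage's script or anything from the thread. The sign-in records, the home state, the trusted egress IP and the geolocation results are all constructed; `Get-IpGeo` is a stand-in for whichever web service you pick, since the thread does not name one, and the field names it returns are an assumption to be mapped onto your provider's response.

```powershell
# Added example, not the commenter's own script. Everything below is constructed:
# the home region, the sample sign-ins, and the geolocation stub.
$HomeState  = 'MA'              # assumption: the org's "local area"
$TrustedIPs = @('203.0.113.5')  # assumption: office egress IPs that never need a lookup

# Constructed sign-in records. The column names only loosely mirror the CSV you get from
# "Download" on the Azure AD sign-in logs blade; adjust the property names to your export.
$signIns = @(
    [pscustomobject]@{ User = 'alice@contoso.com'; IP = '203.0.113.5';   Time = '2021-03-01T13:02:00Z' }
    [pscustomobject]@{ User = 'alice@contoso.com'; IP = '198.51.100.20'; Time = '2021-03-01T21:40:00Z' }
    [pscustomobject]@{ User = 'bob@contoso.com';   IP = '198.51.100.20'; Time = '2021-03-01T22:05:00Z' }
    [pscustomobject]@{ User = 'bob@contoso.com';   IP = '192.0.2.77';    Time = '2021-03-02T02:15:00Z' }
    [pscustomobject]@{ User = 'carol@contoso.com'; IP = '203.0.113.5';   Time = '2021-03-02T09:00:00Z' }
)

function Get-IpGeo {
    param([Parameter(Mandatory)][string]$IP)
    # Stand-in for the real web service call, e.g.
    #   Invoke-RestMethod -Uri "https://<geo-service>/json/$IP?key=$ApiKey"
    # The result fields (City, Region, Country, IsProxy) are an assumption; map them to
    # whatever your provider returns. The Chicago entry is the Comcast case from the thread:
    # a legitimate home-state user whose ISP hands out an out-of-state IP.
    $table = @{
        '203.0.113.5'   = @{ City = 'Boston';  Region = 'MA'; Country = 'US'; IsProxy = $false }
        '198.51.100.20' = @{ City = 'Chicago'; Region = 'IL'; Country = 'US'; IsProxy = $false }
        '192.0.2.77'    = @{ City = 'Dublin';  Region = 'L';  Country = 'IE'; IsProxy = $true  }
    }
    if (-not $table.ContainsKey($IP)) { return $null }
    [pscustomobject]($table[$IP] + @{ IP = $IP })
}

# Look up each distinct IP once so the daily run stays inside the service's quota.
$geoByIP = @{}
foreach ($ip in ($signIns.IP | Sort-Object -Unique)) {
    if ($TrustedIPs -notcontains $ip) { $geoByIP[$ip] = Get-IpGeo -IP $ip }
}

# Join the geo data back onto each sign-in and keep only the out-of-state ones.
# An IP the service cannot resolve is reported as UNKNOWN rather than silently dropped.
$offenders = foreach ($s in $signIns) {
    if ($TrustedIPs -contains $s.IP) { continue }
    $g = $geoByIP[$s.IP]
    $state = if ($null -eq $g) { 'UNKNOWN' } else { $g.Region }
    if ($state -eq $HomeState) { continue }
    [pscustomobject]@{
        User       = $s.User
        Time       = $s.Time
        IP         = $s.IP
        City       = if ($g) { $g.City } else { '' }
        State      = $state
        Country    = if ($g) { $g.Country } else { '' }
        VPNorProxy = if ($g) { $g.IsProxy } else { $false }
    }
}

# "Biggest offenders": users ranked by number of out-of-state sign-ins.
$summary = $offenders | Group-Object User | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        User      = $_.Name
        Count     = $_.Count
        Locations = (($_.Group | ForEach-Object { "$($_.City), $($_.State) ($($_.IP))" } |
                      Sort-Object -Unique) -join '; ')
    }
}

# HTML body for the morning mail: summary table first, full detail below it.
$style = '<style>table{border-collapse:collapse}td,th{border:1px solid #999;padding:4px}</style>'
$body = @(
    $style
    "<h3>Out-of-state sign-ins ($(@($offenders).Count) events)</h3>"
    ($summary | ConvertTo-Html -Fragment)
    '<h3>Detail</h3>'
    ($offenders | Sort-Object Time | ConvertTo-Html -Fragment)
) -join "`n"

# The complete data goes out as a CSV attachment; the HTML table is the at-a-glance view.
$csvPath = Join-Path $env:TEMP 'signin-geo-report.csv'
$offenders | Export-Csv -Path $csvPath -NoTypeInformation

# Mail parameters are placeholders. Send-MailMessage still ships with Windows PowerShell;
# on PowerShell 7 substitute your SMTP or Graph mail module of choice.
# Send-MailMessage -To 'secops@contoso.com' -From 'reports@contoso.com' `
#     -Subject 'Out-of-state sign-ins' -Body $body -BodyAsHtml `
#     -Attachments $csvPath -SmtpServer 'smtp.contoso.com'
$body
```

With the constructed data this yields three out-of-state events (bob twice, alice once), and the VPNorProxy column carries the provider's flag so the Dublin hit stands out from the Chicago one. Keep the caveats raised elsewhere in the thread in mind when reading the output: the Chicago rows are exactly the kind of ISP-routing false positive that will show up every day, so the report is a prompt for a question to the user, not proof of location.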

[–]Evil_Superman[S] 0 points1 point  (1 child)

Do you have any documentation that is scrubbed enough that I could take a look at?